[jboss-user] [Security & JAAS/JBoss] - Re: Script to create wildcard certificate chain in keystore
mozkill
do-not-reply at jboss.com
Thu Dec 11 12:45:12 EST 2008
Here is the raw code for the DOS batch file if you don't want to visit the blog.
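@echo off
setlocal
@rem ------------------------------------------------------------------
@rem This script generates a server certificate suitable to be signed
@rem by an authorized CA. If OpenSSL is installed, it can make a
@rem signing CA for you.
@rem
@rem This script requires: OpenSSL (a Win32 build that ships openssl.cfg
@rem and a PEM\demoCA skeleton next to it), JDK (keytool).
@rem Reading the registry with "regedit /e" needs a console that is
@rem allowed to run regedit (elevated on Vista and later).
@rem
@rem Changes in this revision:
@rem  * the OpenSSL path echo printed the Java variable instead of SSLPath
@rem  * the CA prompt promised 10 years while the CA is issued for
@rem    1096 days; the prompt now says what the command does
@rem  * keys are generated at 2048 bits and keytool signs the CSR with
@rem    SHA-256 instead of the older JDK defaults (1024 bits, SHA-1)
@rem  * index.txt and serial are copied only when missing, so re-running
@rem    the script no longer resets the CA database and reuses serials
@rem  * every openssl/keytool step aborts the script on failure
@rem  * paths are quoted so installs under "Program Files" work
@rem ------------------------------------------------------------------

@rem set JBOSSHOME="C:\Justice\jboss"

::Get the home directory of the most recent JDK.
::regedit exports every version subkey; the last "JavaHome" line wins,
::which is normally the highest version since regedit writes subkeys sorted.
start /w regedit /e reg1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Development Kit"
if not exist reg1.txt goto ERROR
type reg1.txt | find "JavaHome" > reg2.txt
if errorlevel 1 goto ERROR
for /f "tokens=2 delims==" %%x in (reg2.txt) do set JavaTemp=%%~x
if "%JavaTemp%" == "" goto ERROR
echo Java home path (per registry) = %JavaTemp%
set JAVAHOME=%JavaTemp%
set PATH=%PATH%;%JAVAHOME%\bin
del reg1.txt reg2.txt
echo Detected JDK and added it to PATH.

::Get the home directory of OpenSSL. CurrentControlSet is the control set
::actually in use; ControlSet001 is usually but not always the same key.
start /w regedit /e reg1.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
if not exist reg1.txt goto ERROR
type reg1.txt | find "OPENSSL_PATH" > reg2.txt
if errorlevel 1 goto ERROR
for /f "tokens=2 delims==" %%x in (reg2.txt) do set SSLPath=%%~x
if "%SSLPath%" == "" goto ERROR
echo OpenSSL home path (per registry) = %SSLPath%
set OPENSSL_HOME=%SSLPath%
set PATH=%PATH%;%OPENSSL_HOME%
del reg1.txt reg2.txt
echo Detected OpenSSL and added it to PATH.
echo %PATH%

@rem Working locations, all relative to the OpenSSL install.
set CERTDIR=%OPENSSL_HOME%\..\myCerts
set CADIR=%OPENSSL_HOME%\..\demoCA
set KEYSTORE=%CERTDIR%\keystore.kdb

@rem Create storage directories (mkdir creates missing parents).
echo Creating work directories if they do not already exist.
if not exist "%CERTDIR%\private" mkdir "%CERTDIR%\private"
if not exist "%CADIR%\private" mkdir "%CADIR%\private"
if not exist "%CADIR%\newcerts" mkdir "%CADIR%\newcerts"
@rem openssl.cfg normally refers to the CA as ./demoCA, so "openssl ca"
@rem must run with this directory as the current directory.
cd /d "%OPENSSL_HOME%\.."
if errorlevel 1 goto ERROR
@rem NOTE: a Windows folder named "private" gets no special ACL. If other
@rem accounts can log on to this machine, restrict the CA key folder yourself.
echo Done.

@rem Ask to create certificate authority
set /P GENERATECA=Do you want to generate your own 3 year Certificate Authority? [y]:
if "%GENERATECA%" == "" (set GENERATECA=y)
@echo.
if "%GENERATECA%" == "y" (
  @rem No -nodes here on purpose: openssl prompts for a passphrase, so
  @rem cakey.pem is written encrypted. -newkey overrides an old 1024-bit
  @rem default_bits in openssl.cfg. 1096 days is about 3 years.
  openssl req -config "%OPENSSL_HOME%\openssl.cfg" -new -x509 -newkey rsa:2048 -extensions v3_ca -keyout "%CADIR%\private\cakey.pem" -out "%CADIR%\cacert.pem" -days 1096
  if errorlevel 1 goto ERROR
  @ECHO Finished generating a certificate authority. Your site certificate will be signed with this authority.
)
@echo.

@rem Ask to create site certificate chain
set /P GENCERT=Do you want to generate a site certificate signed by your Certificate Authority? [n]:
if "%GENCERT%" == "" (set GENCERT=n)
@echo.
if "%GENCERT%" == "n" GOTO DONE

@ECHO Generating your server certificate inside a new keystore.
@ECHO Enter *.your.domain if you wish to generate a wildcard certificate.
@rem -keysize / -sigalg override keytool's older 1024-bit and SHA-1 defaults.
keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -keystore "%KEYSTORE%"
if errorlevel 1 goto ERROR

@ECHO Generating a certificate request that will be used by your certificate authority to sign your cert.
keytool -certreq -alias tomcat -sigalg SHA256withRSA -keystore "%KEYSTORE%" -file "%CERTDIR%\tomcat.csr"
if errorlevel 1 goto ERROR

@ECHO Ready to import the cacert.pem public cert from your self created CA in directory .\demoCA .
if not exist "%CADIR%\cacert.pem" (
  echo No CA certificate found at "%CADIR%\cacert.pem". Send "%CERTDIR%\tomcat.csr" to your CA instead.
  goto DONE
)
keytool -import -alias root -keystore "%KEYSTORE%" -trustcacerts -file "%CADIR%\cacert.pem"
if errorlevel 1 goto ERROR

if exist "%CADIR%\private\cakey.pem" (
  @rem Sign the CSR with the CA key .\demoCA\private\cakey.pem, save the
  @rem result as .\myCerts\tomcat.crt and convert it to DER for keytool.
  echo Signing CSR and saving tomcat.crt
  @rem Seed the CA database only once; overwriting index.txt and serial on
  @rem every run would make the CA issue duplicate serial numbers.
  if not exist "%CADIR%\index.txt" copy /Y "%OPENSSL_HOME%\PEM\demoCA\index.txt" "%CADIR%"
  if not exist "%CADIR%\serial" copy /Y "%OPENSSL_HOME%\PEM\demoCA\serial" "%CADIR%"
  @rem policy_anything accepts any subject; acceptable for a private CA.
  openssl ca -config "%OPENSSL_HOME%\openssl.cfg" -policy policy_anything -out "%CERTDIR%\tomcat.crt" -infiles "%CERTDIR%\tomcat.csr"
  if errorlevel 1 goto ERROR
  openssl x509 -in "%CERTDIR%\tomcat.crt" -inform PEM -out "%CERTDIR%\tomcat.der" -outform DER
  if errorlevel 1 goto ERROR
)

@ECHO Ready to import CA signed CSR response into your keystores certificate.
keytool -import -alias tomcat -keystore "%KEYSTORE%" -trustcacerts -file "%CERTDIR%\tomcat.der"
if errorlevel 1 goto ERROR

@ECHO List the contents.
keytool -keystore "%KEYSTORE%" -list -v

@rem Finally, copy the keystore to JBoss.
@rem copy "%KEYSTORE%" "%JBOSSHOME%\bin" /y
goto DONE

:ERROR
echo A required step failed; see the message above.

:DONE
echo Ending script.
pause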